On Friday 18 January 2008 18:32:57 Brennan, William C wrote:
> Okay, that's valuable, but I see I did not describe my problem precisely
> enough. Let me try this again. How do I configure parameters for
> auditctl to make an audit record every time a PARTICULAR file is
> executed?

You use file watches:

auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed

There are examples of this in the CAPP & LSPP rules. You can find this by
'rpm -ql audit | grep lspp'

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
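
Added example, not part of the original message: once the watch above is loaded, each execution is logged as a group of records sharing one event serial, with the `-k` key on the SYSCALL record. The sketch below pulls those executions out of raw audit.log text; the function names and the sample records are constructed for illustration, and the record layout is assumed to be the usual `type=... msg=audit(time:serial): field=value` form.

```python
import re
from collections import defaultdict

KEY = "my-file-is-executed"      # the -k value from the auditctl command above
UNSET_AUID = "4294967295"        # (uint32)-1: process has no login session

# Constructed sample records in raw audit.log layout (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200699177.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2312 auid=500 uid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=EXECVE msg=audit(1200699177.123:4521): argc=2 a0="stunnel" a1="/etc/stunnel/stunnel.conf"
type=SYSCALL msg=audit(1200699180.500:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2313 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1200699180.500:4522): argc=1 a0="ls"
type=SYSCALL msg=audit(1200699200.010:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=4294967295 uid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=EXECVE msg=audit(1200699200.010:4530): argc=2 a0="stunnel" a1=2F6574632F6D7920732E636F6E66
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(val):
    """Untrusted strings are logged quoted, or as bare hex when they
    contain spaces, quotes or control bytes."""
    if val.startswith('"'):
        return val[1:-1]
    return bytes.fromhex(val).decode("utf-8", "replace")

def watched_executions(log_text, key=KEY):
    """Return one dict per event whose SYSCALL record carries `key`."""
    events = defaultdict(dict)               # event serial -> merged fields
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        f = dict(FIELD.findall(body))
        ev = events[serial]
        if rtype == "SYSCALL":
            auid = f.get("auid")
            ev.update(time=float(ts), pid=int(f["pid"]),
                      exe=f.get("exe", "").strip('"'),
                      auid=None if auid == UNSET_AUID else int(auid),
                      key=f.get("key", "").strip('"'))
        elif rtype == "EXECVE":
            ev["argv"] = [decode(f[f"a{i}"]) for i in range(int(f["argc"]))]
    return [ev for ev in events.values() if ev.get("key") == key]

if __name__ == "__main__":
    for ev in watched_executions(SAMPLE_LOG):
        print(ev["time"], ev["auid"], ev["exe"], ev["argv"])
```

On a live system the same records can be listed with `ausearch -k my-file-is-executed`.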
